North Korea-based hackers have engaged in a large scale digital skimming activity since May 19, breaking into online stores like international fashion chain Claires to insert malicious code that steals payment card details of the users in the US and Europe, a new report revealed on Monday.

Dutch cybersecurity company Sansec has found proof of global web skimming activity that has multiple, independent links to previously documented and North Korea attributed hacking operations.

"Hackers associated with the APT Lazarus/ HIDDEN COBRA group were found to be breaking into online stores of large US retailers and planting payment skimmers as early as May 2019," said the report.

Hacker
Representational Picture Pixabay

Hacking Activity Extends To Several Areas

Previously, North Korean hacking activity was mostly restricted to banks and South Korean crypto markets, covert cyber operations that earned hackers $2 billion. New research shows that they have now extended their portfolio with the profitable crime of digital skimming.

Digital skimming, also known as Magecart, is the interception of credit cards during online store purchases. This type of fraud has been growing since 2015 and was traditionally dominated by Russian and Indonesian-speaking hacker groups. "This is no longer the case, as the incumbent criminals now face competition from their North Korean counterparts," said the report.

Using Booby-trapped Emails

In order to intercept transactions, an attacker needs to modify the computer code that runs an online store. HIDDEN COBRA managed to gain access to the store code of large retailers such as international fashion chain Claire's.

"How HIDDEN COBRA got access is yet unknown, but attackers often use spearphishing attacks (booby-trapped emails) to obtain the passwords of retail staff," the security researchers mentioned.

Curiously, HIDDEN COBRA used the sites of an Italian modeling agency and a vintage music store from Tehran to run its global skimming campaign. Sansec monitored millions of online stores for skimming activity and found 30 to 100 infected online stores per day.

Additionally, the US-based security firm Rewterz has reported a spearphishing attack targeting attendees of the annual Consumer Electronics Show (CES) in Las Vegas that was widely reported.